Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
identified by a map-name and a positive integer sequence number (called seq-num
below). The map-name used can represent one or more crypto maps, while the
sequence numbers are used to set the priority for two or more crypto maps with the
same name. If two or more crypto maps with the same name are used, those with
lower sequence numbers have higher priority. The following example shows the
construction of a single crypto map for the North and Remote routers, which combines
the previously entered configuration information. See Configuring IPSec Network
Security in the Cisco IOS 12.0 Security Configuration Guide to learn more about
crypto maps. The syntax for the crypto map command is: crypto map map-name
seq-num ipsec-isakmp.
Configure the IPSec crypto maps using the following commands:
North#
North# config t
Enter configuration commands, one per line. End with CNTL/Z.
North(config)# crypto map pipe-1 1 ipsec-isakmp
! The name pipe-1 is an arbitrary name
North(config-crypto-map)# match address 161
North(config-crypto-map)# set peer 7.12.1.20
North(config-crypto-map)# set transform-set set1
! The following are optional, they limit the length of time and
! number of bytes the tunnel is good for data protection before
! automatic rekeying occurs
North(config-crypto-map)# set security-assoc lifetime kilo 80000
North(config-crypto-map)# set security-assoc lifetime sec 26400
North(config-crypto-map)# exit
North(config)# exit
North#
and
Remote#
Remote# config t
Enter configuration commands, one per line. End with CNTL/Z.
Remote(config)# crypto map pipe-1 1 ipsec-isakmp
! The name pipe-1 is an arbitrary name
Remote(config-crypto-map)# match address 161
Remote(config-crypto-map)# set peer 14.2.0.20
Remote(config-crypto-map)# set transform-set set1
! The following are optional, they limit the length of time and
! number of bytes the tunnel is good for data protection before
! automatic rekeying occurs
Remote(config-crypto-map)# set security-assoc lifetime kilo 80000
Remote(config-crypto-map)# set security-assoc lifetime sec 26400
Remote(config-crypto-map)# exit
Remote(config)# exit
Remote#
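A quick way to audit the two sessions above before bringing the tunnel up, as an added example that is not part of the original guide: the Python below parses crypto map entries, orders them by sequence number, and checks that each entry is complete, that the two set peer addresses point at each other, and that the lifetimes agree. The function names are hypothetical, and each router's own address is assumed to be the one named in the other router's set peer line.

```python
import re

# Commands typed on North in the session above (constructed from the page, prompts omitted).
NORTH = """\
crypto map pipe-1 1 ipsec-isakmp
match address 161
set peer 7.12.1.20
set transform-set set1
set security-assoc lifetime kilo 80000
set security-assoc lifetime sec 26400
"""
REMOTE = NORTH.replace("7.12.1.20", "14.2.0.20")  # Remote differs only in its peer

PATTERNS = {  # abbreviated and full keywords are both accepted
    "acl": r"match address (\S+)",
    "peer": r"set peer (\S+)",
    "transform": r"set transform-set (\S+)",
    "kilobytes": r"set security-assoc\S* lifetime kilo\S* (\d+)",
    "seconds": r"set security-assoc\S* lifetime sec\S* (\d+)",
}

def parse_crypto_maps(text):
    """Return entries sorted by (map-name, seq-num); lower seq-num = higher priority."""
    entries, cur = [], None
    for line in text.splitlines():
        # Drop a pasted prompt such as "North(config-crypto-map)# "
        line = re.sub(r"^\S+\(config[^)]*\)#\s*", "", line.strip())
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)
        if m:
            cur = {"name": m.group(1), "seq": int(m.group(2))}
            entries.append(cur)
        elif cur is not None:
            for key, pat in PATTERNS.items():
                m = re.match(pat + r"$", line)
                if m:
                    cur[key] = m.group(1)
    return sorted(entries, key=lambda e: (e["name"], e["seq"]))

def audit_pair(a_text, a_addr, b_text, b_addr):
    """Compare the first (lowest seq-num) entry on each side; return a list of findings."""
    findings = []
    a, b = parse_crypto_maps(a_text)[0], parse_crypto_maps(b_text)[0]
    for side, entry in (("A", a), ("B", b)):
        for key in ("acl", "peer", "transform"):
            if key not in entry:
                findings.append(f"{side}: entry {entry['name']} {entry['seq']} lacks {key}")
    if a.get("peer") != b_addr or b.get("peer") != a_addr:
        findings.append("peer addresses do not point at each other")
    for key in ("kilobytes", "seconds"):
        if a.get(key) != b.get(key):
            findings.append(f"lifetime {key} differs: {a.get(key)} vs {b.get(key)}")
    return findings
```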
The command show crypto map will display the following information on the
North router (assuming no other crypto maps have been entered):